Configuring OAuth Authentication Service
Start course

This course deals with how to deploy, configure, and manage some keys aspects of Azure API management (APIM). In particular, we focus on the authentication mechanism and go into depth about how to set up OAuth 2.0, including creating the Azure AD required application registrations. To help with understanding and troubleshooting the OAuth flow, we utilize Postman to check and validate our configuration.

Next, we take a look at how we can alter API requests at various scopes using API policies. Finally, we look at how to view effective API policies that span multiple scopes and also how to trace API policies during runtime.

Learning Objectives

  • Deploy Azure API Management and import an existing API
  • Gain an understanding of how the configure authentication against APIM using OAuth 2.0
  • Implement API policies against the imported API to alter the API request
  • Use Postman to make API requests against APIM and request and use OAuth authorization tokens
  • Secure the imported API by requiring a valid Azure AD token

Intended Audience



For our example we're going to be using OAuth 2.0, so let's configure the appropriate endpoints. Under the management API service we go to security, OAuth 2.0, and we can see there's no results here, we click add. I've already pre-populated this page here so we're just going to talk through what the results are. So we have the CyberLabs for a display name. We have a client registration URL. I've just made up this URL. The type of grant is the authorization code. The authorization endpoint is the same authorization endpoint we used in Postman. 

So if we go back to our document here, we can see that this was the code we used. The next piece of information we need is the token URL, again, this is the same as we've already used and the token endpoint is here. If we keep scrolling down we can see we need the client credentials, front-end client ID, and the secret. Which we can see here is that same secret key that we've put in the text file. And if we click create, we can see that OAuth service is added. 

The next step is to use this auth service with our API. So let's go to the APIs, Demo Conference, and we look at the settings for the Demo Conference API. If we scroll down, we can see security. So let's select OAuth and we will get a list of all the configured OAuth 2.0 servers. So we've only got one, that's fine, we'll click save. We've now connected this API to the OAuth server. 

Next step is we wanna try and view this authorization code. What we're going to do is launch an incognito browser just so that we make sure we end up with the correct user. I'm gonna go log into, and I'm going to use a user that I've already configured in the Azure AD. Which is in the onmicrosoft and keep Jessica signed in, yes. So now we're signed in as a user in the CyberLabs domain. And we want to take the developer portal and log in here. So I'm gonna use my other user. This would probably be Jessica as well, but this is the way we've set it up for now. And if we go to the Demo Conference API, and let's go to the GetSessions, and click try it. 

We can see now we've got the subscription key, it's already picked up the primary subscription. But we have a CyberLabs authorization. So if I select authorization code, we're getting a request here from CyberLabs for the app API to get access to the backend app and read the profile. So we're gonna accept that. And what we can see here is expected, this is saying that again, the reply URL isn't valid. 

So I wanted to show you a way you can grab this information to try and understand what it's doing. If you select this header here to Notepad, we'll just do a quick replace here to help make this readable. 3a becomes a colon and the percent 2f becomes a forward slash. 

We can now see that this application is looking for a redirect to cloud portal docs authorize callback. So this is the URL now that we need to authorize again against our application. We go to Reply URLs, we've already got it loaded. Paste that in there and save. cloud portal demo docs CyberLabs console, which is the complete URL for us to get to this developer portal. So let's just give this a hard refresh. 

Let's go to the get authorization token again, and we can see that Bearer Token's come through. So if we just show that token, let's just validate what we've got there. Copy that token, we'll go to the And we'll paste that into our debugger, and we can see we've got the backend application, the front-end application, and we're logged in as Jessica. Oh if we try and execute our request, we're getting the response 200 back, which is great. Successfully set up the OAuth server. We have successfully connected that OAuth server to our API, collected an authorization code through the browser. 

Let's just try this through Postman, see what we get. So if we put this in, now we don't have any token here, but we've still got the data back. So what we actually need to do is apply a policy to check for valid token, which we will do in the next section.

About the Author

Matthew Quickenden is a motivated Infrastructure Consultant with over 20 years of industry experience supporting Microsoft systems and other Microsoft products and solutions. He works as a technical delivery lead managing resources, understanding and translating customer requirements and expectations into architecture, and building technical solutions. In recent years, Matthew has been focused on helping businesses consume and utilize cloud technologies with a focus on leveraging automation to rapidly deploy and manage cloud resources at scale.